Two more VMs in VirtualBox on the same laptop serve as test targets, connected in the same way as the first.

One tricky aspect of this test is that DSR requires a dedicated network interface, and the Pi only has one. This means that everything needs to be set up with the interface configured normally, and then the interface must be reconfigured and the test controlled from the console.

The document 1000k is a dummy file containing 1024000 zeroes. Fetching it at 74.48 requests per second corresponds to a bandwidth of 610 Mbps, a speed physically impossible to achieve through the Pi’s Fast Ethernet interface, but easily achieved using DSR since the return traffic bypasses the load balancer completely. CPU usage on the Pi hovered at 15-20% during the test.

Your private key is in the file your.domain.key. The file your.domain.csr contains your certificate signing request, which needs to be sent to your certification authority. The details of that procedure differ from CA to CA, but it should end with your new certificate in your possession. Save the certificate as your.domain.crt.

The final piece of information you need is the CA’s certificate, which the CA will provide. Save the certificate as intermediate.crt.

Assuming you managed to cobble together all these files in the directory /etc/pen, the certificate installation is now finished.

Protocol Support

This is easy. Nobody supports SSL 2.0 anymore. SSL 3.0 is only for IE6 on Windows XP, a dwindling user base. TLS 1.0 is still acceptable, but this is not an exercise in acceptability (or compatibility). Throw out everything but TLS 1.2 by putting the following in /etc/pen/https.cfg:
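Once https.cfg is in place, the configuration should be verified from the client side. The following is an added check, not from the original post: it pins a handshake to one protocol version at a time and reports whether the balancer refuses TLS 1.0 and 1.1 and accepts TLS 1.2 (your.domain and port 443 are placeholders for your own Pen instance).

```python
"""Check that an HTTPS endpoint accepts only TLS 1.2 (added example)."""
import socket
import ssl

# Versions the policy must refuse, and the one it must accept.
# SSL 2.0/3.0 are left out: modern OpenSSL builds cannot even offer them,
# so a refusal there proves nothing about the server.
REJECTED = {"TLS 1.0": ssl.TLSVersion.TLSv1, "TLS 1.1": ssl.TLSVersion.TLSv1_1}
REQUIRED = {"TLS 1.2": ssl.TLSVersion.TLSv1_2}


def handshake(host, port, version, timeout=5.0):
    """Attempt a handshake pinned to exactly one protocol version.
    Returns True if the server completes it, False if it refuses or is down."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # we are testing protocol support, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe(host, port):
    """Return {version name: accepted?} for every version in the policy."""
    return {name: handshake(host, port, ver)
            for name, ver in {**REJECTED, **REQUIRED}.items()}


def policy_ok(results):
    """True only if every legacy version was refused and TLS 1.2 accepted.
    Pure function, so the decision logic can be tested without a live server."""
    legacy_refused = all(not results.get(n, True) for n in REJECTED)
    modern_accepted = all(results.get(n, False) for n in REQUIRED)
    return legacy_refused and modern_accepted


if __name__ == "__main__":
    res = probe("your.domain", 443)   # placeholder host from the post
    for name, ok in res.items():
        print(f"{name:8s} {'accepted' if ok else 'refused'}")
    print("policy satisfied" if policy_ok(res) else "policy VIOLATED")
```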

Systemd is an init system for Linux, i.e. a program which runs as PID 1 and controls the startup of daemons and services. It does a bunch of other stuff as well, in a way that isn’t quite in keeping with Unix tradition, and this has caused a bit of controversy. We can ignore that for the purpose of this post.

Red Hat 7 uses systemd as its default init, as will Debian 8. Systemd isn’t configured like the familiar SysV init, so most people tasked with installing Linux servers will need to relearn. For this post, we will look at installing and configuring Pen on a CentOS 7 server.

First we need the Pen binaries. Fortunately that job has already been done for us. Pen is in the “Extra Packages for Enterprise Linux” repository, or EPEL:

yum install epel-release
yum --enablerepo=epel -y install pen

Create a user for pen to run as:

useradd pen

Create a directory for pen to keep its stuff while it is running. We can’t use /var/run because the pen user isn’t allowed to create files there, and we can’t just mkdir /var/run/pen because /var/run is a tmpfs which is recreated when the server boots. Instead we create this file in /etc/tmpfiles.d/:

# /etc/tmpfiles.d/pen.conf
d /var/run/pen 0755 pen pen -

And to actually create the directory:

systemd-tmpfiles --create

Create the configuration files, one per load balanced service. In this case, one for dns and one for http.

Summary: enable Pen's non-default features without enabling its security features and you can end up with something not very secure. First I thought "why would anyone do that?", but then realized that Debian ships Pen without many configuration hints. So here are a few:

Don’t run Pen as root

Use a jail

Use access lists to limit access

Here’s what needs to be done to create a chroot jail for Pen and run it there as a non-root user. Start/stop script added.